Thursday, September 04, 2008

I have known about this problem for about 4 years, or more, but for some reason I did not talk about it, scared by possible reactions.

In other words, I was waiting for some noise over the net, or some fix from Microsoft, but nothing is happening.

Microsoft is actually working hard on Internet Explorer 8, but the problem I am talking about is still present ... so I suppose it is time to tell you how dangerous this IE "feature" could be, and how dangerous it can be to forget a little detail in a form, like the autocomplete attribute.

The magic autocomplete option

Every browser tries to make our life on the net as simple as possible: when we start inserting data in an input field, it suggests a couple of words or, if the name of that field is unique enough, directly the most probable word, name, or number we are going to insert. To perform this operation, we can start typing the name, or simply use the down arrow key to open the list of options and choose, usually, the first one.

More magic than ever

In some old Internet Explorer versions, like the 6th one, when we are filling out a login form we simply need to insert the name, or email, and the password field will be magically populated. This means that with 3 keys, 2 down arrows and 1 enter, we can perform a login.

Magic IE JavaScript

Internet Explorer allows JavaScript developers to fire events that simulate user interaction. This means that if we have focus on an input field and we fire the keydown event with the down arrow code, the suggested list of options will magically appear. If we repeat the procedure, the first option is highlighted, and if we repeat it again, the second option, and so on to the third one, if any. Even better, if we fire the event another time, this time using the enter code, the field will be populated.

How to steal information from the Internet Explorer users

Accordingly, if a malicious website replicates a form which the user has filled out once on a genuine website, and a dedicated JavaScript starts automatically interacting with the replicated form, Internet Explorer will silently expose the user's information, previously used on "who knows" how many different websites. A simple, well organized process could try different combinations N times, saving results in an object or an array, and then sending that information via Ajax or a basic GET request to a server, allowing the malicious developer to save and reuse it.

A real world example

To show you what I am talking about, I have created a simplified version of the described script. The most important things to remember:

any displayed information, if any, will not be saved, but only displayed in an alert window, so with my example your data is still yours

only Internet Explorer, as far as I know, allows JS developers to create such malicious code to embed in a webpage (that's why I posted about the Firefox crash a few days ago :))

To perform this test, you need to use Internet Explorer. If you have never used it, or used it only to debug or develop some web applications, please try to log in to your favourite web services, for example Gmail. After that you can directly test my safe example page, and wait a few seconds to know if my application was able to get your email account, or whatever other information.

Which websites expose user information?

I am sure this problem is not a secret for the Microsoft IE team, since in every login form, starting from Hotmail, they force the autocomplete option to off. Therefore it is not possible to steal, for example, Hotmail emails, but if you use the same address to log in to another website which for some reason does not implement the autocomplete off option, it becomes obvious how thousands of spammers can obtain our email addresses in such an easy way. The Gmail login service (surprise!) does not implement the autocomplete off option, so if we use Internet Explorer to log in to the latter service, our Gmail account name could be easily exposed.

The worst case scenario ever is represented by credit card forms, where if nobody thought about this "little security problem", our account name, credit card number, verification code, and whatever other private information could be grabbed by malicious websites without us noticing it. Of course, the expiration date is not that simple to retrieve, but what a powerful weapon this IE feature can be to enhance phishing? Just try to imagine a page with a similar URL that already contains all the information but is missing only the expiration date, requiring user verification.
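A defender-side check for the "little detail" this section is about, added here as an example that is not from the original post: it scans a page's HTML for login and payment fields that IE could autofill and that have no autocomplete="off" at either form or field level. The sensitive-name hint list and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser

# Assumption: this hint list is a constructed heuristic, not an official list.
SENSITIVE_NAME_HINTS = ("email", "user", "login", "card", "cvv", "cvc", "account", "pass")

def _is_off(value):
    return value is not None and value.strip().lower() == "off"

class AutocompleteAuditor(HTMLParser):
    """Collects <input> fields IE could autofill that lack autocomplete="off"."""

    def __init__(self):
        super().__init__()
        self.form_action = None
        self.form_off = False  # autocomplete="off" inherited from the enclosing <form>
        self.findings = []     # (form action, input name, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action") or ""
            self.form_off = _is_off(a.get("autocomplete"))
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            # Controls with no typed value, or that already opt out, need no fix.
            if itype in ("hidden", "submit", "button", "checkbox", "radio"):
                return
            if self.form_off or _is_off(a.get("autocomplete")):
                return
            if itype == "password":
                self.findings.append((self.form_action, name, "password field without autocomplete=off"))
            elif any(hint in name for hint in SENSITIVE_NAME_HINTS):
                self.findings.append((self.form_action, name, "sensitive-looking field without autocomplete=off"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action, self.form_off = None, False

def audit_forms(html):
    """Return findings for a page's HTML; an empty list means nothing to fix."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample: a login form with the fix applied, a payment form without it.
SAMPLE_HTML = """<form action="/login" autocomplete="off">
<input type="text" name="email"><input type="password" name="password"></form>
<form action="/pay"><input type="text" name="cardnumber">
<input type="text" name="cvv" autocomplete="off"><input type="hidden" name="csrf"></form>"""
```

Running audit_forms(SAMPLE_HTML) reports only the cardnumber field of the /pay form; the login form is covered by its form-level attribute and the cvv field by its own.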

As Summary

Other browsers probably know about this problem, since none of them lets JavaScript interact with web pages as if it were the real user. The fix I can simply suggest is to disable the autocomplete option in Internet Explorer or, even better, change browser, to be sure that if we are inputting our details on a website, that information will not be readable by any other website without our authorization.

3 comments:

I always thought about this when creating form inputs and using the autocomplete. For example naming an input "q" to access all past google searches (I do this for a youtube plugin), but I automatically assumed this was not accessible via JavaScript because that would be such a large security hole. Leave it to the IE guys though, to prove me wrong!

I also thought about a similar security risk with Mozilla's home function, but have not found a way to exploit it: http://readystate4.com/2008/06/30/mozillas-home-javascript-function/

Good catch! This worked on your example page in both IE6 and IE7 for me (didn't try IE8).

The page itself would have to include this malicious code. One obvious entry point: advertisers. Just like the O'Reilly porn redirects that took place awhile back, this could be used to steal u/p's. My bank better not be including random advertising JavaScript -- that would be something to check out.

I had been trusting Firefox's encrypting data, but after reading this, we tried it out. Sure enough, we found that form data (a credit card number) was accessible for autocompletion even though we diligently refused to give it the password (it asked for one on each character typed into a login field as it tried to autocomplete!)